Pulse: Russian-Backed Gamaredon's Spyware Variants
Author: WHITE BITSecurity. Created 2023-02-02, modified 2023-03-04. 173 IOCs (high volume).
"UAC-0010 group's ongoing activity is characterized by a multi-step download approach and executing payloads of the spyware used to maintain control over infected hosts," the SCPC said. "For now, the UAC-0010 group uses GammaLoad and GammaSteel spyware in their campaigns." GammaLoad is a VBScript dropper engineered to download the next-stage VBScript from a remote server. GammaSteel is a PowerShell script capable of conducting reconnaissance and executing additional commands. The attacks are geared towards espionage and information theft rather than sabotage, the agency noted. The SCPC also emphasized the "insistent" evolution of the group's tactics, redeveloping its malware toolset to stay under the radar, and called Gamaredon a "key cyber threat."
Indicators of Compromise (173)